FTC Puts an End to Facebook's Freewheeling Privacy Ways

Facebook has repeatedly antagonized privacy advocates with its cavalier approach to sharing members' information, but if its users were by and large willing to tolerate those practices, the FTC wasn't. The agency brought some serious charges against Facebook, and the social network has agreed to clean up its privacy act in order to settle them.

By Erika Morphy
11/30/11 9:18 AM PT

Facebook has agreed to settle charges of privacy violations with the Federal Trade Commission. As part of the settlement, the social networking giant will submit to periodic independent privacy audits for the next 20 years. The company has also agreed to ask users for permission before changing the way their data is released.

The agreement stems from FTC charges that Facebook has reneged on privacy promises it made to its users over the years -- so much so that at times its actions have threatened the "health and safety" of the users.

For example, in December 2009, Facebook changed its website so certain information that users designated as private was made public, without warning users that this change was coming, or getting their approval in advance, according to the FTC.

Facebook also told users that third-party apps they installed on the site would have limited access to their information. In fact, the agency said, the apps could access nearly all of users' personal data -- data the apps didn't need. And so on.

The FTC cited at least seven major breaches by Facebook, which is likely why it included in the agreement a clause barring the social network from making any further deceptive privacy claims, in addition to its other requirements.

Facebook will be subject to fines of US$16,000 per user per violation if it fails to live up to the agreement.

The FTC did not respond to our request for further details.

Changes at Facebook

For its part, Facebook put on its best game face as it explained how it intends to fulfill what has been the FTC's most severe rebuke of its operations to date.

"Overall," CEO Mark Zuckerberg wrote in a blog post, "I think we have a good history of providing transparency and control over who can see your information.

"That said, I'm the first to admit that we've made a bunch of mistakes," he continued. "In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done."

Zuckerberg did not reveal much detail about exactly how the agreement will be executed at Facebook. He said that the FTC "recommended improvements to our internal processes" that Facebook has embraced "by agreeing to improve and formalize the way we do privacy review as part of our ongoing product development process."

Two New Corporate Roles

Facebook is also creating two new corporate officer roles to help it comply with regulations around the world, Zuckerberg said.

Erin Egan, a partner and co-chair of the global privacy and data security practice of Covington & Burling, will become chief privacy officer, policy.

Michael Richter will become chief privacy officer, products. Richter is currently chief privacy counsel on the company's legal team.

Facebook did not respond to our request for further details.

'A Big Step Forward'

This agreement is a major step forward in privacy rights for consumers, John M. Simpson, director of Consumer Watchdog's Privacy Project, told the E-Commerce Times.

"With this agreement, as well as a similar one it forged with Google, the FTC has put the industry on notice that it is serious about protecting consumers' privacy," he said.

The independent privacy audits are perhaps the most significant of the concessions Facebook has made, noted Simpson. "I think they will go a long way to keeping Facebook on the right path."

That said, the FTC should have levied a fine against Facebook for its violations to date, he suggested. "What they have done have been pretty egregious violations of their promises, and those should have been subject to sanctions."

Still, with Facebook's ever-growing membership, a $16,000 per user per violation fine could become pretty hefty very quickly, even for a multibillion-dollar company.

"I am satisfied by what I have seen of the agreement," Simpson concluded.

Privacy Loopholes?

The agreement is significant, given Facebook's past foot-dragging, Amber Yoo, spokesperson for the Privacy Rights Clearinghouse, told the E-Commerce Times.

However, there are still some questions about Facebook's responsibilities that could have a serious impact on people's privacy, she pointed out.

The agreement appears to apply retroactively to what people have already shared on Facebook, said Yoo, "so whenever Facebook rolls out new features, they would not be part of the agreement."